~ Security Researcher, Linux Tinkerer, Ukulele Strummer

tcplay – Create & use Truecrypt containers without needing Truecrypt

As promised in my previous post, here is a guide to using tcplay, a program that lets you create and use Truecrypt containers without needing the Truecrypt program itself.

To understand why you would want to do this, it helps to brush up on the recent controversy surrounding Truecrypt. To cut a long story short, it isn’t immediately clear that the downloadable Truecrypt binaries available from the website correspond exactly to the published source code. Naturally this matters, since matching the binaries to the source is how you rule out a back door having been added to what you actually run. As of Feb 2014, Truecrypt has yet to be audited to confirm that this isn’t the case.

A keyfile (optional but recommended). (More on what keyfiles are and how they keep your data safe is available here.)

In order to proceed, you’re going to need a “Live” USB or DVD of an operating system. I would suggest Ubuntu Privacy Remix (instructions for obtaining the disk images are on their website), but any major distribution such as Ubuntu or Linux Mint will do. You will also need a blank DVD and disk burning software to create the Live DVD; if you’re not sure how to do this, there are tutorials on their website.

Once you have your Live DVD or USB, you’ll need to insert it into your computer and boot into it.

Connect to the internet and download one or more keyfiles that you want to use to a non-persistent part of the system, e.g. the Desktop. It is possible to generate keyfiles in Linux, but it would be fairly obvious to anyone who saw them what they were for, which is why I suggest downloading an innocent-looking file such as an MP3, JPG or PDF instead (see my post on ‘Truecrypt Best Practices’ for more information). Bear in mind what a keyfile does and does not buy you: anyone who has the file and the password can open the container, so a publicly hosted file only protects you to the extent that an attacker cannot work out which file you used and fetch it too. It adds deniability; it is not a substitute for a strong password.

For the purposes of this tutorial I am going to assume that you have downloaded two keyfiles to use with this container, one called bubbles.jpg and the other called anthem.mp3.

N.B. Do NOT save your keyfiles to the USB stick. This may be more convenient, but anyone who sees them will guess what they are for and it will weaken your security. Ideally you should download them from the internet each time, using an untraceable browser like the Tor Browser. If this isn’t possible, I’d suggest keeping them on a separate drive amongst other files, e.g. you could use two MP3s from your music collection. Whichever you do, the copy you present has to be byte-for-byte identical to the one used when the container was created: if the site re-encodes or replaces the file, or you pick a different copy from your collection, the derived key changes and the container will simply not open.

Disconnect from the internet, then open a Terminal. Don’t forget there’s no requirement to retype all these commands: you can copy them (Ctrl+C) and paste them into the Terminal (Ctrl+Shift+V) as you need.

Insert your USB stick and navigate to it. For example, if your USB stick is named ‘KINGSTON’ and your username is ‘machello’, use the command:

cd /media/machello/KINGSTON

Note that cd is a shell built-in rather than a program, so it must not be prefixed with sudo: ‘sudo cd’ fails with “command not found”, and even if it ran it would change directory in a child process and leave your shell where it was. Naturally you’ll need to change ‘machello’ to your own username (on a stock Ubuntu live session it is ‘ubuntu’). If you’re not sure what your USB stick is called, open up the file explorer and navigate to the media folder to find out.

Now we are going to create an empty file to hold our Truecrypt volume. The following command creates a 2GB file named ‘testvol1’:

sudo dd of=testvol1 bs=1G count=0 seek=2

Because count=0, dd writes nothing at all; it only seeks 2 blocks of 1GB into the output and sets the file’s length, so the result is a sparse file that takes up no space on the stick yet. (By default tcplay overwrites the whole container with random data when it creates the volume, so the space gets allocated at that step, and that step takes a while for a large container.)

N.B. You can change the values of ‘seek’ and ‘bs’ to suit yourself. If you prefer to be more specific, e.g. you’d like a file named ‘testvol1’ that is 1500MB in size, you can type:

sudo dd of=testvol1 bs=1M count=0 seek=1500

Whichever you choose, you may be asked at this stage to enter your admin password if you set one up when you first booted Ubuntu (a stock live session usually doesn’t ask). Once you’ve entered it in the terminal, sudo remembers it for a while, so you won’t normally have to repeat it for the rest of this tutorial; just type it again if prompted.

Next we will attach the file to a loop device, so that the rest of the tools can treat it as a disk:

sudo losetup /dev/loop0 testvol1

If you receive a message saying /dev/loop0 is busy, try substituting ‘/dev/loop1’, ‘/dev/loop2’ and so on until you find a free one (sudo losetup -f prints the first free loop device, which saves the guessing). Remember which device you used, as you’ll need it in later commands.

Next we will create the encrypted container. It is possible to change pretty much all of the parameters here. I am going to assume that you want the cascade of all three of the most popular ciphers (AES, Twofish and Serpent), a password, and the two keyfiles mentioned above. I’ve also chosen the Whirlpool hash for the password key derivation. If you don’t know what this is, I suggest leaving this setting as it is:

– It’s very important that this command is all on one line. Feel free to paste it into a text editor first to check this before pasting it into the terminal.

– The location of the keyfiles you downloaded may differ from the path I used for ‘keyfile’, as will your username. For instance, if your username was kate and you had one keyfile named george.pdf in your Downloads folder, you’d write the following command:

Once again, amend the keyfile details in the above example accordingly, or delete them altogether if you’re not using keyfiles.

Next we’ll create a filesystem inside our new container. As we’re in Linux we’ll format it as ext4. This is done once only, when the container is first created; running mkfs again on a later remount would wipe everything in it:

sudo mkfs.ext4 /dev/mapper/secv

Now we’re good to go. All we need to do is mount the filesystem. My preferred method is to create a folder on the desktop and mount the container on it. In this example the folder will be called ‘tcmountfolder’:

sudo mkdir /home/machello/Desktop/tcmountfolder

sudo mount /dev/mapper/secv /home/machello/Desktop/tcmountfolder

sudo chown machello:machello /home/machello/Desktop/tcmountfolder

The freshly made filesystem is owned by root, so the last command hands its top folder to your user. chown is preferable to chmod 777 here: the latter also works, but it makes the folder writable by every account on the machine rather than just yours.

Now when you close the terminal and go to the desktop you’ll see the folder and can read and write data to it as you see fit.

Once you’ve safely transferred your personal data to it, close it with the following commands. They undo the setup steps in reverse order: unmount the filesystem, remove the tcplay mapping (which is what actually drops the key out of the kernel), then detach the loop device so the stick can be unplugged safely:

sudo umount /home/machello/Desktop/tcmountfolder

sudo tcplay -u secv

sudo losetup -d /dev/loop0

(On older tcplay versions without the -u option, remove the mapping with dmsetup remove instead; note that a cipher cascade is built from one device-mapper layer per cipher, so dmsetup ls may show more than one mapping to remove.) Once again you can alter these commands to take into account the mapping name and the loop device you used. So if, for example, your container was mapped as ‘secret1’ and attached to /dev/loop1, you would type:

sudo tcplay -u secret1

sudo losetup -d /dev/loop1

To remount the container after restarting the machine and booting back into your Live DVD or USB:

– Connect to the internet and download any keyfiles you use, as applicable (the same files, unchanged, as when you created the container).

– Open the Terminal.

– Navigate to the location of your container on the USB stick, as outlined above.

Attach it to a loop device as before:

sudo losetup /dev/loop0 testvol1

Again, replace ‘testvol1’ with the name of your container, and note which loop device you used.

Open the container with tcplay so you can enter your password and declare any keyfiles:

Create and mount a folder as before in order to be able to read from and write to the volume. Do not run mkfs.ext4 again: the filesystem already exists, and re-creating it would destroy your data.

sudo mkdir /home/machello/Desktop/tcmountfolder

sudo mount /dev/mapper/secv /home/machello/Desktop/tcmountfolder

sudo chown machello:machello /home/machello/Desktop/tcmountfolder
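The whole procedure above, from the sparse container through the loop device, tcplay volume, filesystem and mount, then closing it in the right order and remounting it later, collected into one script. This is an added example written for this guide; it is not code from the original post or from the tcplay project. It assumes the tcplay options -c, -m, -u, -d, -a, -b and -k as documented in tcplay 2.x, and the exact spelling of the cipher chain and hash names (AES-256-XTS,TWOFISH-256-XTS,SERPENT-256-XTS and whirlpool) is an assumption: confirm them with tcplay -b help and tcplay -a help on your live system before running it for real. The container and keyfile names are the post’s; the mount point and size are parameters. With DRY_RUN=1 (the default) it only prints the privileged commands, so you can check them first.

```shell
#!/bin/sh
# Added example for this guide: the whole procedure above as shell functions.
# Not code from the original post or from the tcplay project. DRY_RUN=1 (the
# default) prints the privileged commands instead of running them; DRY_RUN=0
# runs them with sudo on the live system.
set -e

DRY_RUN=${DRY_RUN:-1}
# Cipher chain and PBKDF2 hash as named by 'tcplay -b help' / 'tcplay -a help'.
# The spelling of the AES-Twofish-Serpent chain is assumed; check it locally.
CHAIN=${CHAIN:-AES-256-XTS,TWOFISH-256-XTS,SERPENT-256-XTS}
HASH=${HASH:-whirlpool}

# priv CMD...: run a privileged command with sudo, or just print it.
priv() {
  if [ "$DRY_RUN" = 1 ]; then printf 'sudo %s\n' "$*"; else sudo "$@"; fi
}

# make_sparse_container FILE SIZE_MB: the post's dd trick. count=0 writes no
# data and seek=SIZE sets the length, so the file is sparse. Needs no root.
make_sparse_container() {
  dd if=/dev/zero of="$1" bs=1M count=0 seek="$2" status=none
}

container_size_mb()      { echo $(( $(stat -c %s "$1") / 1048576 )); } # apparent size
container_allocated_kb() { du -k "$1" | cut -f1; }                      # space really used

# attach_loop FILE: attach to the first free loop device and print its name,
# rather than trying /dev/loop0, /dev/loop1, ... by hand.
attach_loop() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "sudo losetup -f --show $1" >&2
    echo /dev/loopN            # placeholder device name in dry-run mode
  else
    sudo losetup -f --show "$1"
  fi
}

# keyfile_opts KEYFILE...: print '-k FILE' for each keyfile, failing before
# anything is touched if one is unreadable. A container can only ever be
# opened with byte-identical copies of these files. (Paths without spaces.)
keyfile_opts() {
  local f
  for f in "$@"; do
    [ -r "$f" ] || { echo "keyfile not readable: $f" >&2; return 1; }
    printf -- '-k %s ' "$f"
  done
}

# map_volume DEV MAPNAME KOPTS: tcplay asks for the password, then
# /dev/mapper/MAPNAME is the decrypted view of the loop device.
map_volume() {
  priv tcplay -m "$2" -d "$1" $3
}

# mount_mapped MAPNAME MOUNTPOINT: mount, then hand the top folder to the
# live user rather than making it world-writable with chmod 777.
mount_mapped() {
  priv mkdir -p "$2"
  priv mount "/dev/mapper/$1" "$2"
  priv chown "$(id -u):$(id -g)" "$2"
}

# create_volume FILE SIZE_MB MAPNAME MOUNTPOINT [KEYFILE...]
create_volume() {
  local file="$1" size="$2" map="$3" mnt="$4" kopts dev
  shift 4
  kopts=$(keyfile_opts "$@") || return 1
  make_sparse_container "$file" "$size"
  dev=$(attach_loop "$file") || return 1
  priv tcplay -c -d "$dev" -a "$HASH" -b "$CHAIN" $kopts   # fills it with random data
  map_volume "$dev" "$map" "$kopts"
  priv mkfs.ext4 -q "/dev/mapper/$map"   # first creation only, never on a remount
  mount_mapped "$map" "$mnt"
}

# open_volume FILE MAPNAME MOUNTPOINT [KEYFILE...]: remount an existing
# container; same as create_volume without dd, tcplay -c and mkfs.
open_volume() {
  local file="$1" map="$2" mnt="$3" kopts dev
  shift 3
  kopts=$(keyfile_opts "$@") || return 1
  dev=$(attach_loop "$file") || return 1
  map_volume "$dev" "$map" "$kopts"
  mount_mapped "$map" "$mnt"
}

# close_volume LOOPDEV MAPNAME MOUNTPOINT: undo in reverse order. Removing the
# mapping drops the key from the kernel; detaching the loop device is what
# makes it safe to unplug the stick.
close_volume() {
  priv umount "$3"
  priv tcplay -u "$2"        # or dmsetup remove, on tcplay without -u
  priv losetup -d "$1"
}
```

Source the file in the live session’s terminal (. ./tcplay-demo.sh) and call the functions, e.g. create_volume testvol1 1500 secv ~/Desktop/tcmountfolder ~/Desktop/bubbles.jpg ~/Desktop/anthem.mp3, first with the default dry run to read the commands it would issue, then with DRY_RUN=0. The keyfile check runs before anything is written, so a typo in a keyfile path fails the whole operation instead of producing a container locked to the wrong files, and the remount path deliberately has no mkfs step.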

N.B. The security vulnerability that has been identified in Truecrypt relates specifically to how volume headers are created. As such, you may want to use tcplay to create a Truecrypt volume, but then use Truecrypt itself rather than the Terminal to open it and read/write.

I have done some experimenting with Truecrypt and tcplay and believe that this is probably safe, but I would suggest using the command line just until the security audit is done.